如何整合基於angularjs和java jaas的身份驗證？

Question

我有一個web應用程序，前端有angularJS，後端有Java。 Angular通過Restful Web服務通過HTTP消費和發送JSON來與java後端進行通信。我需要爲這個應用程序構建身份驗證機制，並想知道如何纔是最好的方法，目前我正在使用基於JAAS的身份驗證（JDBC用戶表）。這是我的應用程序是如何配置：

我的web.xml配置有：

<login-config> 
     <auth-method>FORM</auth-method> 
     <realm-name>userauth</realm-name> 
     <form-login-config> 
      <form-login-page>/login.html</form-login-page> 
      <form-error-page>/loginError.html</form-error-page> 
     </form-login-config>     
    </login-config> 

    <security-constraint> 
     <display-name>ConstraintSSL</display-name> 
     <web-resource-collection> 
      <web-resource-name>protected</web-resource-name> 
      <description/> 
      <url-pattern>/checkout/*</url-pattern> 
      <url-pattern>/login/*</url-pattern> 
      <url-pattern>/login.*</url-pattern> 
      <url-pattern>/account/*</url-pattern> 
      <url-pattern>/ad/create</url-pattern> 
      <http-method>GET</http-method> 
      <http-method>POST</http-method> 
      <http-method>HEAD</http-method> 
      <http-method>PUT</http-method> 
      <http-method>OPTIONS</http-method> 
      <http-method>TRACE</http-method> 
      <http-method>DELETE</http-method> 
     </web-resource-collection> 

     <user-data-constraint>   
      <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
     </user-data-constraint>   
    </security-constraint> 

    <security-constraint> 
     <display-name>ConstraintUser</display-name> 
     <web-resource-collection> 
      <web-resource-name>user</web-resource-name> 
      <description/> 
      <url-pattern>/account/*</url-pattern> 
      <http-method>GET</http-method> 
      <http-method>POST</http-method> 
      <http-method>HEAD</http-method> 
      <http-method>PUT</http-method> 
      <http-method>OPTIONS</http-method> 
      <http-method>TRACE</http-method> 
      <http-method>DELETE</http-method> 
     </web-resource-collection> 
     <auth-constraint>  
      <description/> 
      <role-name>ADMINISTRATORS</role-name> 
      <role-name>USERS</role-name> 
     </auth-constraint> 

     <user-data-constraint>   
      <transport-guarantee>CONFIDENTIAL</transport-guarantee> 
     </user-data-constraint>   
    </security-constraint> 

    <security-role> 
     <description/> 
     <role-name>USERS</role-name> 
    </security-role> 
    <security-role> 
     <description/> 
     <role-name>ADMINISTRATORS</role-name> 
    </security-role> 

    <session-config> 
    <session-timeout>30</session-timeout> 
    <tracking-mode>COOKIE</tracking-mode> 
    </session-config> 

    <welcome-file-list> 
    <welcome-file>init.html</welcome-file> 
    </welcome-file-list> 

init.html只重定向到它加載的角度，並開始實際應用一個index.html頁面。

現在，這裏是我的UserController中負責處理在客戶端（瀏覽器）用戶相關的活動：

myControllers.controller('UserController', ['$scope', '$routeParams', 'UserService', 
    function($scope, $routeParams, UserService) { 
    $scope.logged = false; 

    // if User is not detected by cookie 
    $scope.user = fetchUserFromCookie(); 

    if (! $scope.user) { 

     // set default guest user 
     $scope.user = {   
      firstName : 'guest', 
      lastName : 'user', 
      preferredCurrency : "USD$", 
      sessionHash: "XXXXXX", 
      shoppingCart : { 
       totalItems : 0, 
       total : 0 
      }   
     };  

    } 

    $scope.login = function(userName, pass) { 
      $scope.user = UserService.login(userName, pass);    
      $scope.logged = true;  
    }; 

    $scope.logout = function(userName) { 
      $scope.user = UserService.logout(userName); // warn server side you're logging out 
      $scope.logged = false; 
      $scope.user = null; 
    }; 

    }]); 

我的目標是提供一個登錄頁面與基於JAAS JDBC認證，並只允許那些用戶，其具有特定的ADMIN角色或USER角色來查看某個頁面，如何在基於angularJS + Java的應用程序中實現此目的？

• 我的主要問題是與會話跟蹤，

• 如何跟蹤特定用戶授予訪問權限，並有權更改特定的記錄？

• 如何防止手動更改手動更改JS代碼或更改Cookie以劫持用戶會話？

Answer 1

• index.html頁面應該包含令牌裏面的html避免CSRF
• 令牌不應該被存儲在cookie存儲
• 每個請求應與頭PARAM簽署
• 服務器應通過傳遞標頭驗證每個請求
• 如果必須使用Cookie，則應該驗證引薦人以防止CSRF